45% of businesses ‘lacking formal cyber security strategy’

Cyber security is already one of the biggest issues that businesses have to face in the 21st century, but new research has revealed that less than half of organisations have a formal strategy to tackle these threats.

A report from the Institute of Directors (IoD) and Barclays found that just 45 per cent of respondents had a formal plan in place, yet an overwhelming 95 per cent said cyber security was ‘very’ or ‘quite’ important to their company.

Furthermore, 40 per cent admitted they wouldn’t know who to contact if a cyber security breach occurred, which could prove problematic for businesses as they prepare for the introduction of the EU General Data Protection Regulation (GDPR).

One of the key requirements under the GDPR is that personal data breaches must be reported to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware that an incident has occurred, unless the breach is unlikely to put individuals at risk.

Moving beyond awareness

John Madelin, CEO at security firm RelianceACSN, told Computer Weekly that the research shows senior leaders understand the importance of cyber security measures.

“But beyond that, they have little clue how to approach the issue,” he added.

“For some time now, it has become increasingly clear that the security industry lacks conviction, and has fundamentally failed to educate organisations in how to manage their security holistically.”

According to Mr Madelin, many businesses simply don’t understand the value of the information they possess. He said a new approach was needed, including better-integrated, end-to-end information security.

The report comes soon after Lloyd’s of London revealed a similar lack of cyber security preparedness in a European survey of business leaders last year. The insurer’s ‘Facing the cyber risk challenge’ research found that 92 per cent of firms had suffered a breach within the last five years, but only 42 per cent were concerned it would happen again.

“It is reassuring that responsibility for cyber risk is sitting at the most senior level of businesses, but it is clear that too many firms do not believe that the dangers of a breach will severely impact them,” said Lloyd’s chief executive Inga Beale.

Boosting cyber security measures

The Lloyd’s research also showed that while 97 per cent of businesses had heard of the GDPR, only seven per cent claimed to know a ‘great deal’ about the regulation. Meanwhile, 57 per cent said they knew ‘little’ or ‘nothing’ about it.

IoD and Barclays provided some tips and advice for businesses hoping to strengthen their cyber security approach, which included:

  • Fully preparing for the GDPR;
  • Ensuring directors and board members are trained on cyber risks;
  • Implementing cyber awareness training for all staff;
  • Completing attack simulations to check the robustness of existing processes;
  • Training employees to spot fraudulent emails and invoices;
  • Scrutinising cloud and server suppliers to check that their security is up to date; and
  • Considering cyber insurance options.

Organisations should also consider whether their information security teams have the skills and experience to tackle cyber threats.

Our research has revealed that only 38 per cent of security and resilience departments believe they are adequately resourced to meet the demands placed upon them.

Our 2017 Market Report combines our review of the prevailing conditions in the security & resilience recruitment market together with the results of our latest employer survey.